Security
Rediflow protects project data, person data, and organisational structure. This section describes our threat model, implemented controls, and how to harden your deployment.
Contents
| Document | Description |
|---|---|
| Threat model | Assets, attackers, trust boundaries, and main threats |
| Security posture | Implemented controls and OWASP mapping |
| Deployment hardening | TLS, OIDC, secrets, and hardening checklist |
Quick reference
- Authentication: OIDC (Authentik). When configured, all non-public paths require login.
- Session cookie: HttpOnly, SameSite=Lax, and Secure in production. Rate limiting on login and the OAuth callback.
- Data: PostgreSQL only. Parameterized queries. Optional Row Level Security for user settings and share links.
- Headers: X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, HSTS, Content-Security-Policy.
- Supply chain: pip-audit and npm audit in CI. Lockfiles in version control.
For deployment guidance, see Security deployment.
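As an added example (not Rediflow's own code), a small offline helper that audits a captured HTTP response against the quick-reference controls above: the five response headers, the session cookie attributes, and that an unauthenticated request to a non-public path is not served. The cookie name `session` and the plain-dict input format are assumptions; feed it the status line, headers and Set-Cookie value of a response captured from your own deployment.

```python
"""Offline audit of the response-level controls in the quick reference.
Hypothetical helper, not part of Rediflow. Input is a captured response
(status code, header dict, raw Set-Cookie value); nothing is fetched."""
from http.cookies import SimpleCookie

# Headers the quick reference says every response should carry
# (HSTS is sent as Strict-Transport-Security).
REQUIRED_HEADERS = (
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Strict-Transport-Security",
    "Content-Security-Policy",
)
SESSION_COOKIE = "session"  # assumed cookie name; adjust to your deployment


def audit_response(status, headers, set_cookie="", cookie_name=SESSION_COOKIE):
    """Return a list of findings; an empty list means every listed control is present.
    The response is assumed to come from a non-public path requested without a session."""
    findings = []
    present = {k.lower() for k in headers}
    for name in REQUIRED_HEADERS:
        if name.lower() not in present:
            findings.append(f"missing header: {name}")
    # With OIDC configured, a non-public path must redirect to login, not serve content.
    if status == 200:
        findings.append("non-public path served 200 without login")
    if set_cookie:
        jar = SimpleCookie()
        jar.load(set_cookie)
        morsel = jar.get(cookie_name)
        if morsel is None:
            findings.append(f"no {cookie_name} cookie set")
        else:
            # Morsel flags are True when present, "" when absent.
            if not morsel["httponly"]:
                findings.append("session cookie lacks HttpOnly")
            if not morsel["secure"]:
                findings.append("session cookie lacks Secure")
            if morsel["samesite"].lower() != "lax":
                findings.append("session cookie SameSite is not Lax")
    return findings


# Constructed sample responses: one hardened, one with typical gaps.
GOOD_HEADERS = {h: "set" for h in REQUIRED_HEADERS}
GOOD_COOKIE = "session=abc123; HttpOnly; Secure; SameSite=Lax; Path=/"
WEAK_HEADERS = {"X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"}
WEAK_COOKIE = "session=abc123; HttpOnly; Path=/"

if __name__ == "__main__":
    print("hardened:", audit_response(302, GOOD_HEADERS, GOOD_COOKIE))
    print("weak:", audit_response(200, WEAK_HEADERS, WEAK_COOKIE))
```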